Score:1

Reduce amount of network traffic by filtering attackers in AWS


I just installed a simple Django web application on an AWS EC2 instance. The instance is always on, but currently not used by anyone (it is still in development). Recently AWS has been billing a lot of money due to network traffic. When the apache2 service is on, there is a LOT of traffic on port 80, and looking at netstat it looks like brute-force attacks trying to get into the Django app.

I suppose I cannot simply close port 80, since when the app goes live that port will need to be open.

Any idea on how to prevent this network traffic?

Many thanks

Score:1
MLu

There are a lot of options. How much traffic do you expect under normal circumstances? And from where (i.e. from which countries)? What if the website is temporarily inaccessible, does it matter? Probably not so much for a blog, probably yes for an e-shop. Also note that incoming traffic is free, so what you want is to reduce the outbound traffic leaving the cloud.

You can for example:

  • Rate-limit connections to ports 80 and 443 from each IP to some reasonably expected rate plus some buffer, and drop the excess. For example using the iptables "recent" module. It's a bit of a harsh but cheap measure, and it will definitely reduce your outbound traffic.

  • Use a CDN (Content Delivery Network) with a WAF (Web Application Firewall). In AWS you can use CloudFront + AWS WAF, or use a 3rd party like Cloudflare. That way you can block the malicious / DoS traffic before it reaches your web server.

  • Also work on configuring the correct caching settings for your website. For example, images, JS and CSS files can probably be cached for many days or more; dynamic pages probably can't. With the correct caching your assets won't have to be reloaded from the server that often, which will further reduce the outbound traffic.

Hope that helps :)

Tim
Agree with this. Also, during development, use a security group to whitelist your IP. The CloudFront free traffic allowance has also increased, and the caching will help use that bandwidth. You can also use CloudFront to whitelist / blacklist specific countries. I might also block port 80 entirely and force all traffic to use HTTPS without a redirect; web browsers will try HTTPS first these days anyway unless http is specified. I wonder if putting an ALB in would help add an additional layer of protection, but I doubt it would help all that much.
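As an added example covering both MLu's first bullet (per-IP rate limiting with the iptables "recent" module) and Tim's suggestion of a development-time security group allowlist, the script below generates the rules and can apply them. This is not code from the original question, answer or comment. The developer IP (a documentation-range address), the security group ID, the hit count and the window are illustrative assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original question, answer or comment.
# Part 1: per-source rate limit on ports 80/443 with the iptables "recent"
# module (MLu's first bullet). Part 2: the development-time security-group
# allowlist Tim suggests. DEV_IP, SG_ID, hit count and window are
# illustrative assumptions, not values from the page.
set -eu

DEV_IP="${DEV_IP:-203.0.113.10}"        # assumed developer address (documentation range)
SG_ID="${SG_ID:-sg-0123456789abcdef0}"  # assumed security group ID

# Emit the iptables commands that allow each source HITS new connections
# per WINDOW seconds to the web ports and drop anything beyond that.
# Intended for a fresh INPUT chain; rerunning would duplicate the rules.
web_rate_limit_rules() {
  local hits="${1:-20}" window="${2:-60}"
  cat <<EOF
# xt_recent tracks only 100 addresses by default; a scanner fleet larger
# than that evicts entries, so enlarge the table (only takes effect if the
# module is not already loaded; older kernels also cap --hitcount at
# ip_pkt_list_tot, default 20)
modprobe xt_recent ip_list_tot=4096
iptables -N WEB_LIMIT
# the developer is never rate-limited
iptables -A WEB_LIMIT -s ${DEV_IP} -j ACCEPT
# record this source, then drop if it has hit ${hits} times in ${window}s;
# --update also refreshes the timestamp, so a scanner that keeps hammering
# stays blocked until it backs off for a full window
iptables -A WEB_LIMIT -m recent --name web --set
iptables -A WEB_LIMIT -m recent --name web --update --seconds ${window} --hitcount ${hits} -j DROP
iptables -A WEB_LIMIT -j ACCEPT
# existing connections bypass the check; only new SYNs are counted
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j WEB_LIMIT
EOF
}

# Development-time alternative (Tim's comment): swap the world-open port 80
# rule in the instance's security group for the developer IP only, so the
# scanners never reach the instance at all. Emits the AWS CLI commands.
dev_only_security_group_cmds() {
  cat <<EOF
aws ec2 revoke-security-group-ingress --group-id ${SG_ID} --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id ${SG_ID} --protocol tcp --port 80 --cidr ${DEV_IP}/32
EOF
}

# Run the generated commands; needs root for iptables and credentials for aws.
apply_web_rate_limit() { web_rate_limit_rules "$@" | sh -e; }
apply_dev_only_security_group() { dev_only_security_group_cmds | sh -e; }

# Without an argument the script is a dry run and only prints the commands.
# Sources currently being counted can be inspected in /proc/net/xt_recent/web.
case "${1:-}" in
  --apply-iptables) apply_web_rate_limit 20 60 ;;
  --apply-sg)       apply_dev_only_security_group ;;
  *)                web_rate_limit_rules 20 60; dev_only_security_group_cmds ;;
esac
```

Two caveats worth keeping in mind: the iptables limit is per source address, so a scan spread over many IPs still gets through at a low rate per IP (that is where the CDN/WAF option helps), and each dropped SYN still counts as free inbound traffic, so what this saves is the outbound responses Apache would otherwise send. The security group change is the cheaper fix while nobody but the developer needs the site.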